WHAT PROCEDURES SHOULD COMPANIES HAVE IN PLACE TO MINIMISE PHISHING ATTACKS?

Webroot has published the results of the 2019 Webroot Threat Report, revealing that the number of phishing attacks increased in 2018. The research also shows that while tried and true attack methods are still going strong, new threats emerge daily and new vectors are being tested by cybercriminals. The report is derived from metrics captured and analysed by Webroot’s advanced, cloud-based Machine Learning architecture, the Webroot Platform.

Notable findings:

Phishing attacks increased 36%, with the number of phishing sites growing 220% over the course of 2018.

Phishing sites now use SSL certificates and HTTPS to trick Internet users into believing they are secure, legitimate pages.

www.intelligentciso.com | Issue 12

A total of 77% of phishing attacks impersonated financial institutions and were much more likely to use HTTPS than other types of targets. In fact, for some of the targeted financial institutions, more than 80% of the phishing pages used HTTPS. Google was found to be the most impersonated brand in phishing overall.

After 12 months of security awareness training, end users are 70% less likely to fall for a phishing attempt. Webroot found that organisations that combine phishing simulation campaigns with regular training saw a 70% drop in phishing link click-through. The research also showed that a total of 40% of malicious URLs were found on good domains. Legitimate websites are frequently compromised to host malicious content. To protect users, cybersecurity solutions need URL-level visibility or, when unavailable, domain-level metrics that accurately represent the dangers.

Hal Lonas, CTO, Webroot, said: “We wax poetic about innovation in the cybersecurity field, but you only have to take one look at the stats in this year’s report to know that the true innovators are the cybercriminals.

“They continue to find new ways to combine attack methods or compromise new and existing vectors for maximum results. My call to businesses is to be aware, assess your risk, create a layered approach that protects multiple threat vectors and, above all, train your users to be an asset – not a weak link – in your cybersecurity programme.”